As is known, calico/node can run inside a container, including Felix. I do not understand how it reads and writes the iptables rules and routes on the host, since the two are in different network namespaces.
Sorry, I forgot that the container uses the host network (--net=host), so it can access the iptables rules and IP routes on the host.
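A way to check the point above, as an added example that is not part of the original post: a process started with `--net=host` has the same `/proc/<pid>/ns/net` link target as the host's PID 1, so listing the PIDs that share it shows which workloads can touch host iptables and routes. The function names, PIDs and namespace inode numbers here are hypothetical, and the sample `/proc` tree is constructed.

```python
import os
import tempfile

def netns_id(pid, proc_root="/proc"):
    """Return the net namespace link target, e.g. 'net:[4026531992]', or None if unreadable."""
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "ns", "net"))
    except OSError:  # process exited, or we are not permitted to inspect it
        return None

def host_network_pids(proc_root="/proc", reference_pid=1):
    """List PIDs whose network namespace equals that of reference_pid (PID 1 = host init)."""
    host_ns = netns_id(reference_pid, proc_root)
    if host_ns is None:
        raise PermissionError("cannot read the reference namespace; run as root on the host")
    shared = []
    for entry in os.listdir(proc_root):
        if entry.isdigit() and netns_id(entry, proc_root) == host_ns:
            shared.append(int(entry))
    return sorted(shared)

def build_sample_proc(root):
    """Constructed /proc layout: PID 4242 models a --net=host container process,
    PID 5151 a container with its own namespace. Inode numbers are made up."""
    sample = {1: "net:[4026531992]", 4242: "net:[4026531992]", 5151: "net:[4026532611]"}
    for pid, ns in sample.items():
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        # Dangling symlink whose target is the namespace id, read back with readlink
        os.symlink(ns, os.path.join(ns_dir, "net"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Only PID 1 and the host-network process share the host namespace
        print(host_network_pids(build_sample_proc(tmp)))
```

On a real host, call `host_network_pids()` with the default `/proc` as root; processes whose namespace link cannot be read are skipped.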